In a month-long test pitting the latest versions of the browsers against 754 samples of malware, IE had a block rate of 99.96 percent, while Chrome came in a distant second at 83.16 percent. The remaining competitors fared poorly with success rates at around 10 percent for Safari and Firefox, and an abysmal block rate of 1.87 percent for Opera.

Credit: NSS Labs

A browser's ability to detect and block malware has become increasingly important. Malware downloads via Web browsers are the most common infection vector for cyber criminals seeking to swipe passwords, engage in financial or click fraud, or install bots on target machines. Any organization could be one malware download away from becoming the next victim of a complex APT attack, and relying on end-users to exercise necessary caution to protect their systems as they browse is an invitation for infection.

For the test, which ran from March 13 through April 9, NSS started with a sample of 11,296 unique and suspicious URLs, 754 of which proved to be active and malicious. They tested each browser against each active URL every six hours. In total, they performed 550 test runs with the five browsers.

Internet Explorer 10 dominated the test with a block rate of 99.96 percent, while Chrome 25/26 blocked 83.16 percent of malware. Both browsers employ a CAMP (content agnostic malware protection) scheme: IE is equipped with Microsoft's Application Reputation technology, which uses a variety of sources to set a threshold of how trustworthy an application appears to be. Chrome uses Google's Download Protection technology, which provides reputation services for executable files.

However, Chrome is more reliant on CAMP, a technology that is flawed, according to NSS, because its success depends on user knowledge. "CAMP technology is by definition content agnostic and therefore more susceptible to false positives and user error," according to the report. "In order to offset the higher false positive rate of CAMP technologies, the user is given a choice to block or allow content that is flagged as potentially untrustworthy, based upon reputational schemes. Good software that is not well known will be blocked. Malicious software that has been engineered to have excellent reputational aspects may evade protection. Depending on an untrained user to make the correct choice is unwise."

Without Google's Download Protection technology, Chrome would have a malware-block rate of just 10 percent, according to NSS, putting it on par with Safari 5 and Firefox 19, both of which utilize Google's Safe Browsing API. That API is in and of itself "not up to the task of blocking malicious downloads," NSS says.

Opera, meanwhile, with its block rate of 1.87 percent, "uses several partners, including the Russian Internet company Yandex, to increase browsing safety, but the sum of its efforts has been inconsequential."

"With just a few lines of code, Firefox, Safari, and Opera could displace Internet Explorer and Chrome as the leaders of protection against socially engineered malware," according to NSS. "However, describing every download as "malicious" would break the Internet. Finding a balance between accuracy and safety is the challenge for browsers at the front of protection technology."

In contrast, Chrome blocked zero-day threats at a rate of 48.54 percent; Safari 5 succeeded at a rate of 11.8 percent; Firefox's rate was 7.82 percent; and Opera's was just 0.8 percent.

"There are add-ons for Firefox and Safari that help to improve security," the report notes. "In general, these protective technologies are neither used nor understood by the non‐technical users. For the average user, Internet Explorer 10 or Chrome is recommended. Users choosing Safari, Firefox, or Opera will want to use add‐ons and other technologies to augment their protection where possible."